Two clients Alice and Bob use a server to login and exchange messages through the server. On login, they both send their public keys to be stored on the server. When Alice wants to speak to Bob, she enrypts a symmetric key with Bob's public key and sends it to Bob through the server.
How can I make sure that the server doesn't make its own public key pair and send it to Alice instead of Bob's public key. This way the server will first decrypt what Alice has sent and encrypt it again using Bob's real public key.
Thanks
Since Alice and Bob can not trust the server, they must find another way of confirming each other's keys. One possibility is rely on another party. If Bob trusts Candice (and knows Candice's public key), who knows Alice, Candice can sign Alice's public key then send the signed version to Bob. This is called web of trust.
By having Bob's certificate signed by a trusted third party (Verisign, your corporation, a web of trust, etc.), or by having Bob send his certificate to Alice through a separate secure path out of band (handing her a USB key in person for instance).
Both of these get to the heart of what Bob's certificate is supposed to mean. You only trust that Bob's certificate is Bob's certificate because someone you trust has certified it. That "someone" can be Bob himself or a trusted third party who signs Bob's certificate. You only ever can trust this as much as you trust the certifier.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With